HAProxy ALOHA Documentation 15.5

Instances

An instance defines the PacketShield entry points (physical interfaces) and the rule set(s) (context) that apply to traffic entering through them.

  • An instance is designated by a name.

  • Each instance owns its own session table and configuration.

Use sysfs entry

You manage instances using the sysfs entry /sys/packetshield/instances.

Create an instance

Using the GUI

Use the instances statement followed by the instance name.

instances myinst

Using sysfs

Write +<instance name> to the sysfs entry.

$ echo "+myinst" > /sys/packetshield/instances

Destroy an instance

Using the GUI

Remove the instances line that creates it.

Using sysfs

Write -<instance name> to the sysfs entry.

$ echo "-myinst" > /sys/packetshield/instances

List the currently configured instances

This function is only available using the CLI.

Read the content of the file /sys/packetshield/instances.

$ cat /sys/packetshield/instances
myinst3
myinst2
myinst1

Set options

sysfs

Display and set options with read and write operations, respectively, on the sysfs file /sys/packetshield/<instance name>/<option>.

$ echo 30 > /sys/packetshield/myinst/ack_session_timeout
$ echo 4 > /sys/packetshield/myinst/syn_session_timeout

GUI

Configure options using the following scheme: <instance name>/<option> followed by the desired parameter value.

myinst/ack_session_timeout 30
myinst/syn_session_timeout 4

The following options are available (all values are in seconds):

ack_session_timeout (default: 60 s)

When an ACK packet arrives, the corresponding session is considered invalid if the time elapsed since the previous packet is greater than this value.

syn_session_timeout (default: 10 s)

When a SYN packet arrives, the corresponding session is considered invalid if the time elapsed since the previous packet is greater than this value.

rst_session_timeout (default: 60 s)

When an RST packet arrives, the corresponding session is considered invalid if the time elapsed since the previous packet is greater than this value.

dns_session_timeout (default: 60 s)

When a DNS response packet arrives, the corresponding session is considered invalid if the time elapsed since the corresponding DNS request is greater than this value.

udp_session_timeout (default: 60 s)

When a UDP packet arrives, the corresponding session is considered invalid if the time elapsed since the corresponding outgoing UDP packet is greater than this value.

qhs_session_timeout (default: 10 s)

When a QUIC handshake packet arrives, the corresponding session is considered invalid if the time elapsed since the previous incoming handshake packet or the last outgoing initial packet is greater than this value.

qsh_session_timeout (default: 60 s)

When a QUIC short-header packet arrives, the corresponding session is considered invalid if the time elapsed since the previous incoming handshake or short-header packet is greater than this value.

Get instance statistics

This function is only available using the CLI.

You can get an instance's statistics counters using the sysfs entry /sys/packetshield/<instance name>/stats.

$ cat /sys/packetshield/myinst/stats
rx_total  : 56741
capmissed : 56502
tx_total  : 11329

rx_total

total incoming packets on current instance

tx_total

total outgoing packets on current instance (except packets generated by PacketShield like SYN cookies)

capmissed

incoming packets not copied to debugging capture slots
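The create, set-option and stats steps above, driven from one script. This is an added example and not HAProxy ALOHA's own code: the sysfs root is a parameter so it can run on an appliance against /sys/packetshield or offline against a scratch directory that mimics the documented layout (an assumption of the example, built by build_scratch_root()); the instance-name check, the read-back after each write and the captured-packet arithmetic (rx_total minus capmissed) are additions of the example, not documented behaviour.

```python
"""Drive PacketShield's sysfs interface: create/list instances, set timeouts
with read-back, and parse the stats counters.

Added example, not HAProxy ALOHA's own code. The sysfs root is a parameter:
on an appliance pass /sys/packetshield; offline, build_scratch_root() lays
out a plain directory that mimics the documented files (an assumption made
so the code runs without the PacketShield module).
"""
import re
import tempfile
from pathlib import Path

# Timeout options and their documented defaults, in seconds.
TIMEOUT_DEFAULTS = {
    "ack_session_timeout": 60,
    "syn_session_timeout": 10,
    "rst_session_timeout": 60,
    "dns_session_timeout": 60,
    "udp_session_timeout": 60,
    "qhs_session_timeout": 10,
    "qsh_session_timeout": 60,
}

# Conservative name rule (assumption): a leading '+' or '-' would collide with
# the create/destroy syntax and a '/' would escape the sysfs directory.
_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def _check_name(name):
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid instance name: {name!r}")
    return name


class PacketShield:
    def __init__(self, root="/sys/packetshield"):
        self.root = Path(root)

    def list_instances(self):
        """One name per line, as `cat /sys/packetshield/instances` prints."""
        lines = (self.root / "instances").read_text().splitlines()
        return [line.strip() for line in lines if line.strip()]

    def create_instance(self, name):
        (self.root / "instances").write_text(f"+{_check_name(name)}\n")

    def destroy_instance(self, name):
        (self.root / "instances").write_text(f"-{_check_name(name)}\n")

    def get_option(self, name, option):
        path = self.root / _check_name(name) / option
        return int(path.read_text().strip())

    def set_option(self, name, option, seconds):
        """Write a timeout, then read it back to confirm what is in force."""
        if option not in TIMEOUT_DEFAULTS:
            raise ValueError(f"unknown option: {option}")
        if not isinstance(seconds, int) or seconds <= 0:
            raise ValueError("timeouts are positive integers (seconds)")
        path = self.root / _check_name(name) / option
        path.write_text(f"{seconds}\n")
        applied = self.get_option(name, option)
        if applied != seconds:
            raise RuntimeError(f"{option}: wrote {seconds}, kept {applied}")
        return applied

    def stats(self, name):
        """Parse the `counter : value` lines of <instance>/stats."""
        path = self.root / _check_name(name) / "stats"
        out = {}
        for line in path.read_text().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                out[key.strip()] = int(value.strip())
        return out


def captured_packets(stats):
    """Packets that did reach the debug capture slots: rx_total - capmissed."""
    return stats["rx_total"] - stats["capmissed"]


def build_scratch_root():
    """Constructed stand-in for /sys/packetshield (offline use only): one
    instance 'myinst' with default timeouts and the sample stats shown above."""
    root = Path(tempfile.mkdtemp(prefix="packetshield-"))
    (root / "instances").write_text("myinst\n")
    inst = root / "myinst"
    inst.mkdir()
    for option, default in TIMEOUT_DEFAULTS.items():
        (inst / option).write_text(f"{default}\n")
    (inst / "stats").write_text(
        "rx_total  : 56741\ncapmissed : 56502\ntx_total  : 11329\n")
    return root


if __name__ == "__main__":
    ps = PacketShield(build_scratch_root())      # or PacketShield() on ALOHA
    print("instances:", ps.list_instances())
    ps.set_option("myinst", "ack_session_timeout", 30)
    ps.set_option("myinst", "syn_session_timeout", 4)
    counters = ps.stats("myinst")
    print(counters, "captured:", captured_packets(counters))
```

On an appliance a write of +name or -name to /sys/packetshield/instances is a command to the module, so list_instances() afterwards reflects the result; in the scratch directory the file is simply overwritten, which is why the offline run only reads it. The read-back in set_option is the cheap check that a value was actually accepted rather than silently ignored.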

Debug instance

This function is only available using the CLI.

PacketShield provides interfaces to retrieve all incoming packets captured on an instance.

These interfaces are available in the directory /sys/packetshield/<instance name>/

raw.cap

This sysfs entry is directly readable and provides the capture in pcap format. Its performance is limited because a sysfs read operation cannot return more than one page (4096 bytes), and each read operation copies all captured packets.

$ tcpdump -r /sys/packetshield/myinst/raw.cap
reading from file raw.cap, link-type EN10MB (Ethernet)

capture.map

A read operation on this sysfs entry returns the size (4 bytes) of the captured packets available in a memory slot. An mmap on the same file descriptor with that size gives direct access (via a pointer) to the whole slot. This interface performs considerably better than the raw.cap interface.
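The read-then-mmap sequence described for capture.map, followed by a parser for the mapped slot. This is an added example and not HAProxy ALOHA's own code. Assumptions: the 4-byte read returns a native-endian unsigned 32-bit size, the slot holds the same pcap byte stream that raw.cap exposes, and /sys/packetshield/myinst/capture.map is the instance from the earlier examples; a record cut off by the slot boundary ends the parse instead of raising. The sample capture is constructed inline so the parser can run offline.

```python
"""Read a PacketShield debug capture through capture.map and parse it.

Added example, not HAProxy ALOHA's own code. Assumptions: read() on
capture.map returns a native-endian uint32 size, and the mapped slot holds
the same pcap byte stream that raw.cap exposes.
"""
import mmap
import os
import struct

# pcap magic (as read little-endian) -> (struct byte order, fraction divisor)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanoseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanoseconds
}


def decode_slot_size(raw):
    """Size word returned by read() on capture.map (native uint32, assumed)."""
    if len(raw) != 4:
        raise ValueError("expected a 4-byte size word")
    return struct.unpack("=I", raw)[0]


def read_capture_slot(path="/sys/packetshield/myinst/capture.map"):
    """read() the slot size, then mmap() that many bytes on the same fd.
    Only meaningful on an appliance; a plain file has no such semantics."""
    fd = os.open(path, os.O_RDONLY)
    try:
        size = decode_slot_size(os.read(fd, 4))
        if size == 0:
            return b""
        mm = mmap.mmap(fd, size, prot=mmap.PROT_READ)
        try:
            return bytes(mm)  # copy once, then release the mapping
        finally:
            mm.close()
    finally:
        os.close(fd)


def parse_pcap(buf):
    """Return (timestamp, captured_len, original_len, frame) records.
    A record truncated by the end of the slot ends the stream."""
    if len(buf) < 24:
        raise ValueError("buffer shorter than a pcap global header")
    magic = struct.unpack("<I", buf[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a pcap stream: magic {magic:#x}")
    order, divisor = PCAP_MAGICS[magic]
    records, offset = [], 24
    while offset + 16 <= len(buf):
        sec, frac, incl, orig = struct.unpack(order + "IIII", buf[offset:offset + 16])
        offset += 16
        if offset + incl > len(buf):
            break  # truncated trailing record: stop rather than mis-parse
        records.append((sec + frac / divisor, incl, orig, buf[offset:offset + incl]))
        offset += incl
    return records


def ethertype_counts(records):
    """Histogram of Ethernet EtherTypes; frames under 14 bytes count as runts."""
    counts = {}
    for _, incl, _, frame in records:
        key = struct.unpack("!H", frame[12:14])[0] if incl >= 14 else "runt"
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_sample_capture():
    """Constructed pcap stream: an IPv4 frame, an IPv6 frame, then a record
    whose header claims 64 bytes but only 10 follow (slot boundary)."""
    def frame(ethertype, payload):
        return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
                + struct.pack("!H", ethertype) + payload)

    def record(sec, usec, data):
        return struct.pack("<IIII", sec, usec, len(data), len(data)) + data

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    ipv4 = frame(0x0800, b"\x45" + b"\x00" * 19)
    ipv6 = frame(0x86DD, b"\x60" + b"\x00" * 39)
    truncated = struct.pack("<IIII", 3, 0, 64, 64) + b"\xff" * 10
    return header + record(1, 500000, ipv4) + record(2, 500000, ipv6) + truncated


if __name__ == "__main__":
    recs = parse_pcap(build_sample_capture())  # on ALOHA: read_capture_slot()
    for ts, incl, orig, _ in recs:
        print(f"{ts:.6f} captured={incl} original={orig}")
    print(ethertype_counts(recs))
```

The truncation check matters because the slot is a fixed memory region: trusting incl_len from the last header without bounding it against the mapped size is exactly how a capture reader ends up reading past its buffer.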
